Menu
AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Cognito Identity

Amazon Cognito Identity (service prefix: cognito-identity) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by Amazon Cognito Identity

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
CreateIdentityPool Creates a new identity pool.

Write

DeleteIdentities Deletes identities from an identity pool. You can specify a list of 1-60 identities that you want to delete.

Write

DeleteIdentityPool Deletes a user pool. Once a pool is deleted, users will not be able to authenticate with the pool.

Write

identitypool*

DescribeIdentity Returns metadata related to the given identity, including when the identity was created and any associated linked logins.

Read

Write

DescribeIdentityPool Gets details about a particular identity pool, including the pool name, ID description, creation date, and current number of users.

Read

Write

identitypool*

GetCredentialsForIdentity Returns credentials for the provided identity ID.

Read

Write

GetId Generates (or retrieves) a Cognito ID. Supplying multiple logins will create an implicit linked account.

Write

GetIdentityPoolRoles Gets the roles for an identity pool.

Read

Write

identitypool*

GetOpenIdToken Gets an OpenID token, using a known Cognito ID.

Read

Write

GetOpenIdTokenForDeveloperIdentity Registers (or retrieves) a Cognito IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process.

Read

Write

identitypool*

ListIdentities Lists the identities in a pool.

Read

Write

List

identitypool*

ListIdentityPools Lists all of the Cognito identity pools registered for your account.

Read

Write

List

LookupDeveloperIdentity Retrieves the IdentityID associated with a DeveloperUserIdentifier or the list of DeveloperUserIdentifiers associated with an IdentityId for an existing identity.

Read

Write

identitypool*

MergeDeveloperIdentities Merges two users having different IdentityIds, existing in the same identity pool, and identified by the same developer provider.

Write

identitypool*

SetIdentityPoolRoles Sets the roles for an identity pool. These roles are used when making calls to GetCredentialsForIdentity action.

Write

UnlinkDeveloperIdentity Unlinks a DeveloperUserIdentifier from an existing identity.

Write

identitypool*

UnlinkIdentity Unlinks a federated identity from an existing account.

Write

UpdateIdentityPool Updates a user pool.

Write

identitypool*

Resources Defined by Cognito Identity

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys

identitypool

arn:${Partition}:cognito-identity:${Region}:${Account}:identitypool/${IdentityPoolId}

Condition Keys for Amazon Cognito Identity

Cognito Identity has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.